diff --git a/debian/changelog b/debian/changelog
index 5484afc..2bc8e52 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,15 @@
-shim (15.7-2) UNRELEASED; urgency=medium
+shim (15.8-1) UNRELEASED; urgency=medium
 [ Steve McIntyre ]
 * Cope with changes in pesign packaging.
+ * New upstream release fixing more bugs
+ * Remove all our existing patches, no longer needed:
+ + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
+ upstream)
+ + Enable-NX.patch (we don't want NX just yet until the whole boot
+ stack is NX-capable)
+ + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
+ is 4)
 [ Bastien Roucariès ]
 * Port autopkgtest from ubuntu
@@ -9,7 +17,7 @@ shim (15.7-2) UNRELEASED; urgency=medium
 shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
 * Fix debian/watch and check signature
- -- Bastien Roucariès Mon, 29 Apr 2024 09:55:13 +0000
+ -- Steve McIntyre <93sam@debian.org> Thu, 25 Apr 2024 22:16:12 +0100
 shim (15.7-1) unstable; urgency=medium
diff --git a/debian/patches/Enable-NX.patch b/debian/patches/Enable-NX.patch
deleted file mode 100644
index bb7e766..0000000
--- a/debian/patches/Enable-NX.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-commit 7c7642530fab73facaf3eac233cfbce29e10b0ef
-Author: Peter Jones
-Date: Thu Nov 17 12:31:31 2022 -0500
-
- Enable the NX compatibility flag by default.
-
- Currently by default, when we build shim we do not set the PE
- NX-compatibility DLL Characteristic flag. This signifies to the
- firmware that shim (including the components it loads) is not prepared
- for several related firmware changes:
-
- - non-executable stack
- - non-executable pages from AllocatePages()/AllocatePool()/etc.
- - non-writable 0 page (not strictly related but some firmware will be
- transitioning at the same time)
- - the need to use the UEFI 2.10 Memory Attribute Protocol to set page
- permissions.
-
- This patch changes that default to be enabled by default. Distributors
- of shim will need to ensure that either their builds disable this bit
- (using "post-process-pe -N"), or that the bootloaders and kernels you
- support loading are all compliant with this change. A new make
- variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.
-
Signed-off-by: Peter Jones
-
-diff --git a/BUILDING b/BUILDING
-index 3b2e85d3..17cd98d3 100644
---- a/BUILDING
-+++ b/BUILDING
-@@ -78,6 +78,9 @@ Variables you could set to customize the build:
- - OSLABEL
- This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
- By default this is the same value as EFIDIR .
-+- POST_PROCESS_PE_FLAGS
-+ This allows you to add flags to the invocation of "post-process-pe", for
-+ example to disable the NX compatibility flag.
-
- Vendor SBAT data:
- It will sometimes be requested by reviewers that a build includes extra
-diff --git a/Make.defaults b/Make.defaults
-index c46164a3..9af89f4e 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \
- $(INCLUDES) \
- $(DEFINES)
-
-+POST_PROCESS_PE_FLAGS =
-+
- ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
- DEFINES += -DOVERRIDE_SECURITY_POLICY
- endif
-diff --git a/Makefile b/Makefile
-index a9202f46..f0f53f8f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -255,7 +255,7 @@ endif
- -j .rela* -j .dyn -j .reloc -j .eh_frame \
- -j .vendor_cert -j .sbat -j .sbatlevel \
- $(FORMAT) $< $@
-- ./post-process-pe -vv $@
-+ ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
-
- ifneq ($(origin ENABLE_SHIM_HASH),undefined)
- %.hash : %.efi
-diff --git a/post-process-pe.c b/post-process-pe.c
-index de8f4a38..f39fdddf 100644
---- a/post-process-pe.c
-+++ b/post-process-pe.c
-@@ -42,7 +42,7 @@ static int verbosity;
- 0; \
- })
-
--static bool set_nx_compat = false;
-+static bool set_nx_compat = true;
-
- typedef uint8_t UINT8;
- typedef uint16_t UINT16;
diff --git a/debian/patches/Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch b/debian/patches/Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch
deleted file mode 100644
index df272c0..0000000
--- a/debian/patches/Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Mon, 5 Dec 2022 17:57:36 -0500
-Subject: [PATCH] Make sbat_var.S parse right with buggy gcc/binutils
-
-In https://github.com/rhboot/shim/issues/533 , iokomin noticed that
-gas in binutils before 2.36 appears to be incorrectly concatenating
-string literals in '.asciz' directives, including an extra NUL character
-in between the strings, and this will cause us to incorrectly parse the
-.sbatlevel section in shim binaries.
-
-This patch adds test cases that will cause the build to fail if this has
-happened, as well as changing sbat_var.S to to use '.ascii' and '.byte'
-to construct the data, rather than using '.asciz'.
-
-Signed-off-by: Peter Jones
----
- include/test.mk | 2 +-
- sbat_var.S | 6 ++++--
- test-sbat.c | 32 ++++++++++++++++++++++++++++++++
- 3 files changed, 37 insertions(+), 3 deletions(-)
-
-diff --git a/include/test.mk b/include/test.mk
-index c0e24095..c37b8446 100644
---- a/include/test.mk
-+++ b/include/test.mk
-@@ -92,7 +92,7 @@ test-mock-variables: CFLAGS+=-DHAVE_SHIM_LOCK_GUID
- test-mok-mirror_FILES = mok.c globals.c tpm.c lib/guid.c lib/variables.c mock-variables.c
- test-mok-mirror: CFLAGS+=-DHAVE_START_IMAGE -DHAVE_SHIM_LOCK_GUID
-
--test-sbat_FILES = csv.c lib/variables.c lib/guid.c sbat_var.S
-+test-sbat_FILES = csv.c lib/variables.c lib/guid.c sbat_var.S mock-variables.c
- test-sbat :: CFLAGS+=-DHAVE_GET_VARIABLE -DHAVE_GET_VARIABLE_ATTR -DHAVE_SHIM_LOCK_GUID
-
- test-str_FILES = lib/string.c
-diff --git a/sbat_var.S b/sbat_var.S
-index a115077a..2a813a40 100644
---- a/sbat_var.S
-+++ b/sbat_var.S
-@@ -14,7 +14,9 @@ sbat_var_payload_header:
- .Lsbat_var_payload_header_end:
- .balign 1, 0
- .Lsbat_var_previous:
-- .asciz SBAT_VAR_PREVIOUS
-+ .ascii SBAT_VAR_PREVIOUS
-+ .byte 0
- .balign 1, 0
- .Lsbat_var_latest:
-- .asciz SBAT_VAR_LATEST
-+ .ascii SBAT_VAR_LATEST
-+ .byte 0
-diff --git a/test-sbat.c b/test-sbat.c
-index 
72bebe7a..65bc6a84 100644
---- a/test-sbat.c
-+++ b/test-sbat.c
-@@ -1107,6 +1107,36 @@ test_preserve_sbat_uefi_variable_bad_short(void)
- return 0;
- }
-
-+static int
-+test_sbat_var_asciz(void)
-+{
-+ EFI_STATUS status;
-+ char buf[1024] = "";
-+ UINT32 attrs = 0;
-+ UINTN size = sizeof(buf);
-+ char expected[] = SBAT_VAR_PREVIOUS;
-+
-+ status = set_sbat_uefi_variable();
-+ if (status != EFI_SUCCESS)
-+ return -1;
-+
-+ status = RT->GetVariable(SBAT_VAR_NAME, &SHIM_LOCK_GUID, &attrs, &size, buf);
-+ if (status != EFI_SUCCESS)
-+ return -1;
-+
-+ /*
-+ * this should be enough to get past "sbat,", which handles the
-+ * first error.
-+ */
-+ if (size < (strlen(SBAT_VAR_SIG) + 2) || size != strlen(expected))
-+ return -1;
-+
-+ if (strncmp(expected, buf, size) != 0)
-+ return -1;
-+
-+ return 0;
-+}
-+
- int
- main(void)
- {
-@@ -1155,6 +1185,8 @@ main(void)
- test(test_preserve_sbat_uefi_variable_version_older);
- test(test_preserve_sbat_uefi_variable_version_olderlonger);
-
-+ test(test_sbat_var_asciz);
-+
- return 0;
- }
-
---
-2.30.2
-
diff --git a/debian/patches/block-grub-sbat3-debian.patch b/debian/patches/block-grub-sbat3-debian.patch
deleted file mode 100644
index 4b0aa39..0000000
--- a/debian/patches/block-grub-sbat3-debian.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
-index 6b01573e..5b1a764f 100644
---- a/include/sbat_var_defs.h
-+++ b/include/sbat_var_defs.h
-@@ -35,8 +35,12 @@
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
- SBAT_VAR_PREVIOUS_REVOCATIONS
-
--#define SBAT_VAR_LATEST_DATE "2022111500"
--#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
-+/*
-+ * Debian's grub.3 update was broken - some binaries included the SBAT
-+ * data update but not the security patches :-(
-+ */
-+#define SBAT_VAR_LATEST_DATE "2023012900"
-+#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
- #define SBAT_VAR_LATEST \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- SBAT_VAR_LATEST_REVOCATIONS
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index 683d1b9..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1,3 +0,0 @@
-Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch
-Enable-NX.patch
-block-grub-sbat3-debian.patch